From: Ken Raeburn <raeburn@MIT.EDU>
Subject: gsstest doesn't like krb5-1.6 GSSAPI library
Date: Wed, 21 Feb 2007 22:51:35 -0500
To: krb5-bugs@MIT.EDU
I'm playing with gsstest-1.26 (the latest on the SAP FTP site, though
I've seen mentions on the net of a 1.27 which I haven't tracked down)
and the 1.6 branch.

First problem: gss_canonicalize_name returns a name that will be
rejected by gss_release_name in the mechglue code because the
"loopback" field is not set properly. With that problem quickly
hacked around, it's still reporting three problem cases:

TEST: acquiring *default* accepting credentials (simple)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)

It looks like acquiring the default acceptor credentials doesn't
produce an error, but calling gss_inquire_cred on the result to get a
name out does, because internally it tries to import an empty name.
(Acquiring the acceptor credentials by name was a previous test, and
worked fine.)

TEST: acquiring *default* accepting credentials (query)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)

The "query" version of this test looks at the name in the acquired
credentials, plays some games with exporting and importing and
canonicalizing the name, then tries to acquire credentials using the
resulting name.

TEST: Trying gss_import_name() with ""
Status: gss_import_name() == (GSS_S_CALL_INACCESSIBLE_READ|
GSS_S_BAD_NAME)
gss_display_status(0x01020000,GSS_S_GSS_CODE) =
"A required input parameter could not be read"
"An invalid name was supplied"
ERROR: gss_import_name() didn't return GSS_S_BAD_NAME or GSS_S_FAILURE!
RESULT NOT ok (rc=1)

The test program uses an empty string, not a null or invalid pointer,
so INACCESSIBLE_READ is probably incorrect.

Ken
From: raeburn@mit.edu
Subject: SVN Commit
Initialize "loopback" field in newly allocated name structure.

Commit By: raeburn



Revision: 19170
Changed Files:
U trunk/src/lib/gssapi/mechglue/g_canon_name.c
From: raeburn@mit.edu
Subject: SVN Commit
If a reflection is detected, zap the message buffer pointer output
argument as well as actually freeing the buffer. (Found while using
the gsstest option to exercise error conditions.)

Commit By: raeburn



Revision: 19171
Changed Files:
U trunk/src/lib/gssapi/krb5/k5unseal.c
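An added illustration of the hazard r19171 describes, not krb5's k5unseal.c and not code from this ticket: a miniature unseal routine, using an invented one-byte token format, that frees the caller's output buffer when it detects a reflected token, first without and then with zeroing the caller's gss_buffer_desc. A GSS-API caller routinely passes the output buffer to gss_release_buffer() afterwards, so a freed-but-not-zapped pointer turns that routine release into a second free. release_buffer() here stands in for gss_release_buffer(); the token encoding, the DIR_FROM_ME flag and every function name are my own assumptions for the example.

```c
/* Added example, not k5unseal.c: why an error path that frees the caller's
 * output buffer must also zap the caller's pointer and length. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

typedef struct { size_t length; void *value; } gss_buffer_desc, *gss_buffer_t;

enum { UNSEAL_OK = 0, UNSEAL_REFLECTED = 1, UNSEAL_BAD_TOKEN = 2 };

/* Stand-in for gss_release_buffer(): frees and zeroes the descriptor,
 * so releasing an already-zapped buffer is a harmless no-op. */
void release_buffer(gss_buffer_t buf)
{
    free(buf->value);
    buf->value = NULL;
    buf->length = 0;
}

/* Constructed token format (assumption): one direction byte, then payload.
 * A token carrying DIR_FROM_ME is one we sent ourselves, i.e. the peer is
 * reflecting our own message back at us. */
#define DIR_FROM_PEER 0x00
#define DIR_FROM_ME   0x01

static int unseal_common(const unsigned char *tok, size_t toklen,
                         gss_buffer_t out, int zap_on_reflection)
{
    if (toklen < 1)
        return UNSEAL_BAD_TOKEN;
    /* The plaintext buffer is handed to the caller before the direction
     * check, so an error found afterwards has to clean it up. */
    out->length = toklen - 1;
    out->value = malloc(out->length ? out->length : 1);
    memcpy(out->value, tok + 1, out->length);
    if (tok[0] == DIR_FROM_ME) {          /* reflection detected */
        free(out->value);                 /* both versions free the buffer */
        if (zap_on_reflection) {          /* only the fixed one zaps the pointer */
            out->value = NULL;
            out->length = 0;
        }
        return UNSEAL_REFLECTED;
    }
    return UNSEAL_OK;
}

/* Behaviour before r19171: buffer freed, caller's descriptor left dangling. */
int unseal_before_fix(const unsigned char *tok, size_t toklen, gss_buffer_t out)
{ return unseal_common(tok, toklen, out, 0); }

/* Behaviour r19171 describes: buffer freed and the output argument zapped. */
int unseal_after_fix(const unsigned char *tok, size_t toklen, gss_buffer_t out)
{ return unseal_common(tok, toklen, out, 1); }

/* The usual caller pattern: unseal, then release the output buffer no matter
 * what. Returns 1 when that release would be a second free of the same block
 * (the release itself is skipped in that case so the example runs cleanly). */
int caller_double_frees(int (*unseal)(const unsigned char *, size_t, gss_buffer_t))
{
    static const unsigned char reflected[] = { DIR_FROM_ME, 'h', 'i' };  /* constructed */
    gss_buffer_desc out = { 0, NULL };
    int rc = unseal(reflected, sizeof reflected, &out);
    int dangling = (rc == UNSEAL_REFLECTED && out.value != NULL);
    if (!dangling)
        release_buffer(&out);   /* NULL after the fix, so free(NULL): safe */
    return dangling;
}

/* Normal path: a token from the peer unseals to its payload and the caller
 * releases the buffer exactly once. */
int unseal_peer_token_ok(void)
{
    static const unsigned char from_peer[] = { DIR_FROM_PEER, 'h', 'i' };  /* constructed */
    gss_buffer_desc out = { 0, NULL };
    int ok = unseal_after_fix(from_peer, sizeof from_peer, &out) == UNSEAL_OK
             && out.length == 2 && memcmp(out.value, "hi", 2) == 0;
    release_buffer(&out);
    return ok;
}
```

The fix is the two assignments after free(): with value left non-NULL, the caller cannot tell a released buffer from a live one, and its gss_release_buffer() call frees the block a second time. The last comment on this ticket identifies that condition as MITKRB5-SA-2007-003.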
From: raeburn@mit.edu
Subject: SVN Commit
When importing a name with a valid (non-null) handle but a zero
length, set GSS_S_BAD_NAME but not GSS_S_CALL_INACCESSIBLE_READ.

Commit By: raeburn



Revision: 19172
Changed Files:
U trunk/src/lib/gssapi/mechglue/g_imp_name.c
The gsstest program seems to assume that the pre-rfc1964 OID for krb5 will be chosen as the
default by the loaded library, not the rfc1964 OID. With a tweak to the program to reverse that,
and the patches checked in so far, gsstest seems happy now except for the two problems
relating to acquiring default acceptor credentials.

The problem seems to be that the mechglue code saves away a null pointer and zero length for
the name for the default credentials, and when inquired for the name, tries to import that
invalid name string internally, and reports an error. So acquire_creds works and returns a
credential handle, but inquire_cred calls it invalid.
Split off the acceptor credentials issue into a separate ticket 5450.

The rest of this is finished, and can be pulled up to release branches.
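An added illustration, not code from krb5, mechglue or gsstest: how to read the major status words quoted in the report (0x01020000 and 0x000a0000) using the bit layout and constants RFC 2744 specifies, the acceptance check the gsstest ERROR line implies, and a model of the gss_import_name() rule r19172 describes. The macro values are the RFC's; describe_status(), gsstest_accepts_empty_import() and import_name_status_after_fix() are my own. Two assumptions: the page does not show whether gsstest compares the whole status word or only the routine-error bits, so the model compares the whole word; and the default-credential case above, a zero-length name whose value pointer is also NULL, is deliberately not modelled.

```c
/* Added example, not krb5 or gsstest code: decode GSS-API major status words
 * and model the gss_import_name() status rule from r19172. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef unsigned int OM_uint32;
typedef struct { size_t length; void *value; } gss_buffer_desc;

/* Major status layout per RFC 2744 section 3.9.1:
 * bits 24-31 calling error, 16-23 routine error, 0-15 supplementary info. */
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_CALLING_ERROR(x)      ((x) & (0377ul << GSS_C_CALLING_ERROR_OFFSET))
#define GSS_ROUTINE_ERROR(x)      ((x) & (0377ul << GSS_C_ROUTINE_ERROR_OFFSET))
#define GSS_SUPPLEMENTARY_INFO(x) ((x) & 0177777ul)

#define GSS_S_COMPLETE               0
#define GSS_S_CALL_INACCESSIBLE_READ (1ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_BAD_NAME               (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_DEFECTIVE_CREDENTIAL   (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_FAILURE                (13ul << GSS_C_ROUTINE_ERROR_OFFSET)

static const char *calling_error_name(OM_uint32 st)
{
    switch (GSS_CALLING_ERROR(st) >> GSS_C_CALLING_ERROR_OFFSET) {
    case 1:  return "GSS_S_CALL_INACCESSIBLE_READ";
    case 2:  return "GSS_S_CALL_INACCESSIBLE_WRITE";
    case 3:  return "GSS_S_CALL_BAD_STRUCTURE";
    default: return NULL;
    }
}

static const char *routine_error_name(OM_uint32 st)
{
    /* RFC 2744 routine error codes 1..18, indexed by code value */
    static const char *const names[] = {
        NULL, "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
        "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
        "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
        "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED",
        "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE", "GSS_S_BAD_QOP",
        "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT",
        "GSS_S_NAME_NOT_MN",
    };
    OM_uint32 code = GSS_ROUTINE_ERROR(st) >> GSS_C_ROUTINE_ERROR_OFFSET;
    return code < sizeof names / sizeof names[0] ? names[code] : "GSS_S_<unknown>";
}

/* Render a major status the way gsstest prints it, e.g.
 * "GSS_S_CALL_INACCESSIBLE_READ|GSS_S_BAD_NAME". Static buffer: fine for a demo. */
const char *describe_status(OM_uint32 st)
{
    static char buf[96];
    const char *calling = calling_error_name(st);
    const char *routine = routine_error_name(st);
    if (st == GSS_S_COMPLETE)
        return "GSS_S_COMPLETE";
    buf[0] = '\0';
    if (calling) strcat(buf, calling);
    if (routine) { if (buf[0]) strcat(buf, "|"); strcat(buf, routine); }
    if (GSS_SUPPLEMENTARY_INFO(st)) { if (buf[0]) strcat(buf, "|"); strcat(buf, "<supplementary>"); }
    return buf;
}

/* What the ERROR line in the report says gsstest accepts for importing "".
 * Assumption: the whole word is compared, so any calling-error bits fail it. */
int gsstest_accepts_empty_import(OM_uint32 st)
{
    return st == GSS_S_BAD_NAME || st == GSS_S_FAILURE;
}

/* Model of the rule r19172 describes (not mechglue's source): a NULL buffer
 * handle is a calling error, a valid handle with zero length is only a bad name. */
OM_uint32 import_name_status_after_fix(const gss_buffer_desc *name)
{
    if (name == NULL)
        return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
    if (name->length == 0)
        return GSS_S_BAD_NAME;
    return GSS_S_COMPLETE;
}

int main(void)
{
    gss_buffer_desc empty = { 0, (void *)"" };   /* what gsstest passes: "" */
    OM_uint32 st = import_name_status_after_fix(&empty);
    printf("reported 0x%08x: %s\n", 0x01020000u, describe_status(0x01020000u));
    printf("after r19172 0x%08x: %s, gsstest ok=%d\n", st, describe_status(st),
           gsstest_accepts_empty_import(st));
    return 0;
}
```

Reading the reported word this way makes the complaint concrete: 0x01020000 carries both a calling error (bits 24-31 = 1, INACCESSIBLE_READ) and a routine error (bits 16-23 = 2, BAD_NAME), and the calling-error half is only justified when the caller's buffer handle itself could not be read.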
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19170 from trunk

r19170@cathode-dark-space: raeburn | 2007-02-22 17:57:34 -0500
ticket: 5445
status: open

Initialize "loopback" field in newly allocated name structure.



Commit By: tlyu



Revision: 19185
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/gssapi/mechglue/g_canon_name.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19171 from trunk

r19171@cathode-dark-space: raeburn | 2007-02-23 19:56:23 -0500
ticket: 5445
status: open

If a reflection is detected, zap the message buffer pointer output
argument as well as actually freeing the buffer. (Found while using
the gsstest option to exercise error conditions.)



Commit By: tlyu



Revision: 19186
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/gssapi/krb5/k5unseal.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19172 from trunk

r19172@cathode-dark-space: raeburn | 2007-02-23 19:58:05 -0500
ticket: 5445
status: open

When importing a name with a valid (non-null) handle but a zero
length, set GSS_S_BAD_NAME but not GSS_S_CALL_INACCESSIBLE_READ.



Commit By: tlyu



Revision: 19187
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/gssapi/mechglue/g_imp_name.c
[tlyu - Tue Feb 27 17:41:27 2007]:

> pull up r19171 from trunk
>
> r19171@cathode-dark-space: raeburn | 2007-02-23 19:56:23 -0500
> ticket: 5445
> status: open
>
> If a reflection is detected, zap the message buffer pointer output
> argument as well as actually freeing the buffer. (Found while using
> the gsstest option to exercise error conditions.)
>
>
>
> Commit By: tlyu
>
>
>
> Revision: 19186
> Changed Files:
> _U branches/krb5-1-6/
> U branches/krb5-1-6/src/lib/gssapi/krb5/k5unseal.c


For the record, this is the vulnerability described in MITKRB5-SA-2007-003.